Red Team 101 – An Introduction


The term "Red Team" has surged in popularity in recent years, and we have seen an increase in prospective clients asking for Red Team services. However, the term "Red Team" means different things to different organizations, and the disparity in definitions can lead to confusion.

Our Definition of a Red Team

At Lares, we define a Red Team engagement as:

An objective-based test intended to assess an organization's ability to detect and respond to a threat actor within their environment.
Simply put, we act as an adversary and attempt to execute a scenario that would present a significant risk to the organization.

Who Benefits from Red Team Engagements?

Our primary goal as engineers is to ensure that our clients get as much value as possible from an engagement. Organizations that get the most value from Red Team engagements have established information security programs extending beyond Vulnerability Scanning and Penetration Testing.

Ideally, companies interested in pursuing a Red Team engagement would have conducted maturity and visibility testing through a Purple Team, Insider Threat engagement or both. These assessments are a litmus test of an organization's visibility and response to malicious activity. Purple Team engagements allow for comprehensive coverage of adversarial tradecraft in a collaborative environment.

Insider Threat engagements are similar to Red Team engagements in that they are objectives-based and aim to assess an organization's response to malicious activity, but generally with shorter timeframes and testing confines that aren't present in a Red Team.

The diagram below represents what we believe to be the stepping stones to increasing an organization's security maturity.

Penetration Testing and Vulnerability Scanning are typically the first steps in maturing an organization's security posture. They provide extensive coverage to identify low-hanging fruit; their focus is to identify the attack surface rather than to evade detection. Thus, it is common for an organization to alert its security operations centre that a pentest or vulnerability scan is occurring so that any observed activity can be de-conflicted. At this stage, most organizations devise their remediation framework, stating how findings are handled and resolved.

Insider Threat and Purple Team engagements give organizations insight into which adversarial tradecraft they can detect. Insider Threats are an excellent way for organizations to dip their toes into a Threat Simulation without committing to a full-fledged Red Team. Purple Teams highlight current alerting capabilities and visibility gaps within the organization's defences and aim to improve those capabilities.

Stealth, Operational Security (commonly referred to as "OpSec"), and advanced tradecraft are keystones of a Red Team operation. Because of this, we feel that clients with well-established security programs receive the most value from these engagements.

Testing Objectives

My colleague Steve Spence notes in our Pentesting 101 series that the objective of a Red Team is to assess the organization's capability of detecting and responding to malicious activity within the network and not to identify as many vulnerabilities as possible.

Before the engagement, we work with the organization to establish the following:

  • The objective(s) for the assessment - What does success for the Red Team look like?
  • The White Team - A client contact (or contacts) knowledgeable of both Red Team and Blue Team activity.
  • A Deconfliction Plan - A workflow to confirm that malicious activity observed within the network belongs to the Red Team and not a real threat actor.
  • Rules of Engagement (RoE) - What activity is considered acceptable during the engagement, and what is not?
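The Deconfliction Plan above is the one item in that list that lends itself to a mechanical check. The script below is an added example, not Lares' own tooling: it assumes the Red Team keeps a timestamped operator log (source IP, target, action) and that the White Team receives the time, source IP and target of an alert from the SOC. It then decides whether the alert is explained by logged Red Team activity. The egress range (203.0.113.0/24, a documentation-only network), the hosts, and the log entries are all constructed for illustration.

```python
"""Deconfliction check: does a SOC alert map to logged Red Team activity?

Added example; assumes an operator log with ISO-8601 UTC timestamps and a
known list of Red Team egress networks. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class OperatorEntry:
    ts: datetime   # when the operator performed the action (timezone-aware)
    src: str       # source IP the action originated from
    target: str    # host acted against
    action: str    # free-text description, as typed into the operator log


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset, e.g. '2025-03-04T14:02:00+00:00'."""
    return datetime.fromisoformat(s)


# Hypothetical Red Team egress range (TEST-NET-3, reserved for documentation).
RED_TEAM_INFRA = [ip_network("203.0.113.0/24")]

# Constructed operator log. In practice every action is logged as it is performed,
# which is what makes the White Team's confirmation fast and trustworthy.
OPERATOR_LOG = [
    OperatorEntry(_ts("2025-03-04T14:02:00+00:00"), "203.0.113.10", "10.20.30.40", "Kerberoast request for svc_sql"),
    OperatorEntry(_ts("2025-03-04T14:15:00+00:00"), "203.0.113.10", "10.20.30.41", "SMB share enumeration"),
]


def from_red_team_infra(src: str) -> bool:
    """True if the alert's source IP falls inside a declared Red Team egress network."""
    return any(ip_address(src) in net for net in RED_TEAM_INFRA)


def deconflict(alert_ts: str, alert_src: str, alert_target: str, window_minutes: int = 10):
    """Return (verdict, matching_entries).

    'red_team'          - source is Red Team infrastructure AND a logged action hit the
                          same target within the time window.
    'possible_red_team' - only one of those two conditions holds; a human on the White
                          Team must confirm with the operators before the SOC stands down.
    'unknown'           - nothing in the log explains it; treat as a real threat actor.
    """
    t = _ts(alert_ts)
    window = timedelta(minutes=window_minutes)
    matches = [e for e in OPERATOR_LOG if e.target == alert_target and abs(e.ts - t) <= window]
    infra = from_red_team_infra(alert_src)
    if infra and matches:
        verdict = "red_team"
    elif infra or matches:
        verdict = "possible_red_team"
    else:
        verdict = "unknown"
    return verdict, matches


if __name__ == "__main__":
    # Constructed alert from the SOC: Kerberos ticket request seen 3 minutes after the logged action.
    print(deconflict("2025-03-04T14:05:00+00:00", "203.0.113.10", "10.20.30.40"))
```

The deliberately conservative point is the middle verdict: a matching target and time alone, or a known source IP alone, is not enough to tell the Blue Team to stand down, because the Red Team's infrastructure could be shared or a pivot host may not yet appear in the log. Anything that cannot be tied to a logged action is handled as a genuine incident until an operator says otherwise.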

The technical execution phase of the assessment aims to answer the following questions:

  • Can a motivated threat actor accomplish the objective(s) put forth by the client?
  • Can the Security Operations Centre / Blue Team identify the malicious behaviour?
  • Can the SOC completely eradicate the threat from the network if the activity is detected?
  • Can the SOC identify key elements of the attack to deduce the Red Team's actions, identify compromised assets, and initiate corrective action (e.g., cycling passwords)?

Scoping and Timeframes

We offer various security testing services at Lares, including Vulnerability Scanning, network and application Penetration Testing, and Purple Team and Red Team engagements. Red Team engagements have the most comprehensive scope of any of our security testing services: unless it has been explicitly excluded, anything within your company's legal purview to attack is generally viewed as being in scope. The diagram below, again from our Pentesting 101 series, does a great job of visualizing the scope and the level of detail provided to the testers compared to our other offerings.

Given the breadth of scope and the fact that stealth is emphasized, Red Team engagements are the longest-running. An Internal Penetration test (depending on the size of the environment) may run for a week or two or longer, and a Red Team in the same environment may run for four, five, or six weeks or longer.

Facilitating Access

Traditional network Penetration Tests typically involve shipping a device to a client, who connects it to their network; the assessment is then performed remotely from that device. Red Team engagements offer much more flexibility in how access to the target environment is obtained.

  • Hack your way in - We're responsible for gaining access to the environment by attacking our way in. This may be through phishing / phone-phishing or exploiting a vulnerability in an internet-facing device.
  • Physical Access - We covertly attempt to gain access to one of the organization's facilities to implant a device that the Red Team will leverage to help achieve their objectives.
  • Assumed Breach - We skip past the "Initial Access" stage to save time and reduce costs. Clients provide us access to the environment by executing a payload, providing a single-use VPN or a VDI session, or operating in a 'stolen laptop' scenario where a laptop is shipped to us and we operate as an assumed compromised user.

Each approach has benefits and drawbacks. We work with clients to recommend the approach that aligns with their goals for the assessment.

How Can We Help?

Here at Lares, we help empower organizations to maximize their security potential.

Lares is a security consulting firm that helps companies secure electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing, and coaching.

If you would like any further information, you can get in touch here or head over to the Lares.com/red website for more information about how we can help.

©2025 Lares, a Damovo Company | All rights reserved.